[Openswan Users] OpenSWAN truncating NSS passwords

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Oct 24 04:47:46 EDT 2009


On Sat, 2009-10-24 at 04:42 -0400, John A. Sullivan III wrote:
> On Sat, 2009-10-24 at 08:50 +0300, Tuomo Soini wrote:
> > Avesh Agarwal wrote:
> > 
> > > It is surprising why it is happening. Anyway as you say that it is 
> > > truncating, one way of dealing with it, for example, say your password 
> > > is "1234", may be you can put "1234x" in the file. Just a workaround.
> > 
> > I have a guess. I think he didn't insert lf at the end of the line, and
> > the code looks for it and removes it. So the code should be changed to check for lf
> > and possibly crlf at the end of the line and only remove it if those
> > are there.
> > 
> > > I will look into it soon. But again, I have been using it and i did not 
> > > experience it.
> > 
> Yes, I do have more information.  Inserting the line feed seems to send
> the correct password now.  However, it is still not working.  There
> seems to be some confusion about where passwords go - certainly in my
> mind.  There are three possible
> files, /etc/ipsec.secrets, /etc/ipsec.d/nss.certs,
> and /etc/ipsec.d/nsspassword.
> 
> The documentation says the NSS store password goes in nsspassword so
> that's where I placed it.
> 
> I've heard conflicting advice about the rest.  I interpreted the
> documentation to say that ipsec.secrets should contain the nickname of
> the cert.  It said nothing about passwords.  If it should take a
> password, I do not know if it is the password for the store or the key.
> I have also been told that it is completely unnecessary.
> 
> The documentation also says to create nss.certs with the nick name of
> the cert.  It mentioned nothing about passwords but I've also been told
> that the store password goes there.
> 
> So here are the results from the various permutations:
> No passwords anywhere except nsspassword.  Certs referenced without
> passwords in both ipsec.secrets and nss.certs:
> Oct 24 04:29:51 fw01 ipsec__plutorun: Starting Pluto subsystem...
> Oct 24 04:29:51 fw01 pluto[12480]: nss directory plutomain: /etc/ipsec.d
> Oct 24 04:29:51 fw01 pluto[12480]: NSS Initialized
> Oct 24 04:29:51 fw01 pluto[12480]: Non-fips mode set in /proc/sys/crypto/fips_enabled
> Oct 24 04:29:51 fw01 pluto[12480]: Non-fips mode set in /proc/sys/crypto/fips_enabled
> Oct 24 04:29:52 fw01 pluto[12480]: Changing to directory '/etc/ipsec.d/crls'
> Oct 24 04:29:52 fw01 pluto[12480]:   loaded crl file 'SSICRL.pem' (1669 bytes)
> Oct 24 04:29:52 fw01 pluto[12480]: | NSS: length of decrypted sig = 35
> Oct 24 04:29:52 fw01 pluto[12480]: | NSS : RSA Signature verified, hash values matched
> Oct 24 04:29:52 fw01 pluto[12480]: loading certificate from fw01.ssiservices.biz - biz
> Oct 24 04:29:52 fw01 pluto[12480]: added connection description "a10-Aville2Net192"
> Oct 24 04:29:52 fw01 pluto[12480]: loading certificate from fw01.ssiservices.biz - biz
> Oct 24 04:29:52 fw01 pluto[12480]: added connection description "a10-Aville2Net172"
> Oct 24 04:29:52 fw01 pluto[12480]: loading secrets from "/etc/ipsec.secrets"
> Oct 24 04:29:52 fw01 pluto[12480]: loaded private key for keyid: PPK_RSA:AwEAAa9J8
> Oct 24 04:29:52 fw01 pluto[12480]: "a10-Aville2Net192" #1: initiating Main Mode
> Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: initiating Main Mode
> Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: I am sending my cert
> Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: I am sending a certificate request
> Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: Password passed to NSS is NSS Generic Crypto Services:<Correct - but it must think it is wrong or it wouldn't print it>
> Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: Password passed to NSS is NSS Generic Crypto Services:<Correct - but it must think it is wrong or it wouldn't print it>
> Oct 24 04:29:52 fw01 pluto[12480]: "a10-FP2Net192" #2: Can't find the private key from the NSS CERT (err -8177)
> 
> Put password into nss.certs but not ipsec.secrets:
> Same as above
> 
> Put password in both nss.certs and ipsec.secrets:
> Same as above
> 
> Put password into ipsec.secrets only:
> Almost the same as above except we see:
> Oct 24 04:37:25 fw01 pluto[14011]: "a10-Aville2Net192" #3: Main mode peer ID is ID_DER_ASN1_DN: 'DC=com, DC=ebc-co, OU=VPNGateways, CN=AmityvilleSGGW'
> Oct 24 04:37:25 fw01 pluto[14011]: | NSS: length of decrypted sig = 35
> Oct 24 04:37:25 fw01 pluto[14011]: | NSS : RSA Signature verified, hash values matched
> Oct 24 04:37:25 fw01 pluto[14011]: "a10-Aville2Net192" #3: no crl from issuer "DC=biz, DC=ssiservices, OU=PKI, CN=ssiclientca" found (strict=no)
> Oct 24 04:37:25 fw01 pluto[14011]: | NSS: length of decrypted sig = 35
> Oct 24 04:37:25 fw01 pluto[14011]: | NSS : RSA Signature verified, hash values matched
> Oct 24 04:37:25 fw01 pluto[14011]: "a10-Aville2Net192" #3: I am sending my cert
> 
> I don't know if this is because the other side was initiating or because
> there is some difference.  In any event, it still fails.
> 
> What do we do next to troubleshoot? Thanks - John
By the way, if I comment out the cert entry in ipsec.secrets the
connection fails even when there is no NSS store password:
Oct 24 04:44:54 fw01 pluto[15080]: "a10-FP2Net192" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Oct 24 04:44:54 fw01 pluto[15080]: "a10-FP2Net192" #2: I am sending my cert
Oct 24 04:44:54 fw01 pluto[15080]: "a10-FP2Net192" #2: I am sending a certificate request
Oct 24 04:44:54 fw01 pluto[15080]: "a10-FP2Net192" #2: unable to locate my private key for RSA Signature
Oct 24 04:44:54 fw01 pluto[15080]: "a10-FP2Net192" #2: sending notification AUTHENTICATION_FAILED to 96.57.73.70:500
Oct 24 04:45:04 fw01 pluto[15080]: "a10-FP2Net192" #2: discarding duplicate packet; already STATE_MAIN_I2

When I add the cert nickname to ipsec.secrets and remove the NSS store
password, it all works - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
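An added example, not Openswan's code and not written by anyone in this thread: it reconstructs Tuomo's guess about the nsspassword reader (a hypothetical naive version that always drops the last character) beside a corrected version that strips only an LF or CRLF that is actually present, using constructed sample file contents.

```c
/* Constructed illustration: "naive" is a guess at the suspected
 * truncation bug, "fixed" is the behaviour Tuomo proposes. */
#include <stdio.h>
#include <string.h>

/* Hypothetical naive reader: unconditionally drops the final character,
 * assuming it is a line feed.  "1234" with no newline becomes "123". */
void strip_last_char(char *line)
{
    size_t n = strlen(line);
    if (n > 0)
        line[n - 1] = '\0';
}

/* Fixed reader: remove a trailing "\n" or "\r\n" only when present.
 * Returns how many terminator characters were removed (0, 1 or 2). */
int strip_line_terminator(char *line)
{
    size_t n = strlen(line);
    int removed = 0;
    if (n > 0 && line[n - 1] == '\n') {
        line[--n] = '\0';
        removed++;
    }
    if (n > 0 && line[n - 1] == '\r') {
        line[--n] = '\0';
        removed++;
    }
    return removed;
}

/* Helper for checking: copy raw one-line file contents into a buffer,
 * apply the chosen reader, and return the resulting password length. */
int password_len_after(const char *raw, int fixed)
{
    char buf[64];
    strncpy(buf, raw, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    if (fixed)
        strip_line_terminator(buf);
    else
        strip_last_char(buf);
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed nsspassword contents: no newline, LF, CRLF. */
    printf("naive, no newline: %d chars\n", password_len_after("1234", 0));
    printf("fixed, no newline: %d chars\n", password_len_after("1234", 1));
    printf("fixed, CRLF: %d chars\n", password_len_after("1234\r\n", 1));
    return 0;
}
```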


